Unclosed ResourceResolver warning at com.day.cq.search.impl.builder.QueryBuilderImpl
Learn how to solve the unclosed ResourceResolver warning at com.day.cq.search.impl.builder.QueryBuilderImpl.
Description description
Environment
AEM 6.5
Issue/Symptoms
There is an unclosed session warning in logs originating from the QueryBuilderImpl class: 11.01.2018 01:03:18.878 *INFO* [ Apache Sling Resource Resolver Finalizer Thread]
11.01.2018 01:03:18.878 *INFO* [ Apache Sling Resource Resolver Finalizer Thread] org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl Unclosed ResourceResolver was created here:
java.lang.Exception: Opening Stacktrace
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl$ResolverReference.< init> (CommonResourceResolverFactoryImpl.java:521)
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.register(CommonResourceResolverFactoryImpl.java:218)
at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.< init> (ResourceResolverImpl.java:101)
at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.< init> (ResourceResolverImpl.java:94)
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolverInternal(CommonResourceResolverFactoryImpl.java:263)
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolver(CommonResourceResolverFactoryImpl.java:173)
at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:105)
at com.day.cq.search.impl.builder.QueryBuilderImpl.createResourceResolver(QueryBuilderImpl.java:210)
at com.day.cq.search.impl.builder.QueryImpl.getResourceResolver(QueryImpl.java:231)
at com.day.cq.search.impl.result.HitImpl.getResource(HitImpl.java:108)
at com.day.cq.search.writer.SimpleHitWriter.writeSimpleJson(SimpleHitWriter.java:54)
at com.day.cq.search.writer.SimpleHitWriter.write(SimpleHitWriter.java:41)
at com.day.cq.search.impl.servlets.QueryBuilderJsonServlet.writeHits(QueryBuilderJsonServlet.java:165)
at com.day.cq.search.impl.servlets.QueryBuilderJsonServlet.handleQuery(QueryBuilderJsonServlet.java:113)
at com.day.cq.search.impl.servlets.QueryBuilderJsonServlet.doGet(QueryBuilderJsonServlet.java:73)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:270)
at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:140)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:346)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:378)
at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:552)
at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:44)
Resolution resolution
On live AEM sites, it is recommended that /bin/querybuilder URLs are blocked by the dispatcher.
These URLs can be used safely on (internal network facing) author instances, but on live sites, it has the potential to open the system to data disclosure.
The workaround for this bug is to avoid using the /bin/querybuilder servlet and instead use the QueryBuilder API.
After calling the API, manually close the ResourceResolver after processing the query result.
Please find the sample code  For example, here is code leaking resource resolvers:
Query query = queryBuilder.createQuery(…, session);
SearchResult result = query.getResult();
for (Hit hit : result.getHits()) {
// do some processing
}
Workaround code:
// workaround: close internal resource resolver
Iterator< Resource> resources = result.getResources();
if (resources.hasNext()) {
resources.next().getResourceResolver().close();
}